Cisco IDS Sensor Deployment Considerations

When installing your Cisco IDS, you must determine where to place IDS Sensors to watch the traffic on your network. The first step is to analyze your network topology and identify the critical components on your network. Earl Carter describes the steps you must follow to guarantee the success of your Cisco IDS installation.


Cisco IDS sensors form the eyes and ears of your Cisco network intrusion detection system. Placing sensors correctly throughout your network is crucial to successfully implementing your Cisco intrusion detection system. Before deploying your sensors, however, you must thoroughly understand your network topology, as well as the critical systems on your network that attackers will attempt to compromise. Even after you have identified the locations on your network where you plan to deploy your sensors, you still need to decide how to configure these sensors to maximize their effectiveness in protecting your network.

Analyzing Your Network Topology

Before you can even begin to start deciding where to deploy Cisco IDS sensors on your network, you must analyze your network topology. Some of the key factors to consider when conducting this analysis are the following:

Internet entry/access points

Extranet entry points

Remote access

Intranet separation

Almost all networks provide some type of connectivity to the Internet. This connectivity, however, is also a prime target for millions of potential attackers. Therefore, the first place that you should protect with your Cisco IDS is your organization's Internet connection. When analyzing connections with the Internet, it is easy to stop at the main Internet access point. To correctly protect your network, however, you need to make sure that you identify all possible Internet connections.

Once you have identified your Internet entry points, you need to determine the connections that you have with other organizations. These connections are sometimes referred to as extranet connections. They are usually associated with business partners or other organizations that your organization needs to communicate with on a regular basis. These connections open up your network to attack via the organizations that you conduct business with. They also open up the possibility that an attacker can attack these organizations via your network, which raises many interesting legal issues.

More and more employees are starting to telecommute. Furthermore, more employees also need to maintain access to their local networks when they are traveling. Both of these situations require you to establish some form of remote access capability on your network. Remote access, however, is another prime target for attackers. Mapping out all of your remote access entry points into your networks is vital to successfully securing your network against attack. This includes all modems connected to your network.

The final area that you need to analyze on your network topology deals with internal separation points. Most organizations are divided into multiple departments. Each of these departments probably shares some common servers, such as DNS and email. Similarly, these organizations usually utilize some departmental servers that should be accessed only by specific users. To enforce your organization's security policy, you must clearly understand where these departmental boundaries lie. Furthermore, you must clearly understand what traffic is allowed and what traffic is not allowed to cross these internal barriers.
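The four analysis areas above can be turned into a mechanical check against a topology map. The following is an added example (not code from the article or from Cisco): it takes a constructed, hypothetical zone-link map, lists candidate sensor links for each area, and then searches for any external zone that can still reach the core without crossing a sensored link, which catches the overlooked secondary Internet connection the text warns about.

```python
from collections import deque

# Constructed sample topology: zone -> set of directly connected zones (links are undirected).
TOPOLOGY = {
    "isp_primary": {"border_router"},
    "isp_backup": {"branch_router"},          # second Internet link that is easy to overlook
    "partner_corp": {"extranet_router"},
    "vpn_clients": {"vpn_concentrator"},
    "dialup_modems": {"modem_server"},
    "border_router": {"isp_primary", "dmz"},
    "branch_router": {"isp_backup", "branch_lan"},
    "extranet_router": {"partner_corp", "finance_lan"},
    "vpn_concentrator": {"vpn_clients", "corp_lan"},
    "modem_server": {"dialup_modems", "corp_lan"},
    "dmz": {"border_router", "corp_lan"},
    "branch_lan": {"branch_router", "corp_lan"},
    "corp_lan": {"dmz", "branch_lan", "vpn_concentrator", "modem_server", "finance_lan"},
    "finance_lan": {"corp_lan", "extranet_router"},
}
# Zones outside the organization's control, tagged with the analysis area they fall under.
EXTERNAL = {"isp_primary": "internet", "isp_backup": "internet", "partner_corp": "extranet",
            "vpn_clients": "remote_access", "dialup_modems": "remote_access"}
# Departmental segments whose traffic the security policy restricts from the rest of the intranet.
RESTRICTED = {"finance_lan"}

def sensor_plan(topology, external, restricted):
    """Candidate sensor links: every external entry link, plus each internal boundary of a
    restricted department. Returns {frozenset({zone_a, zone_b}): analysis_area}."""
    plan = {}
    for zone, area in external.items():
        for nxt in topology[zone]:
            plan[frozenset((zone, nxt))] = area
    for zone in restricted:
        for nxt in topology[zone]:
            # Skip neighbours that are themselves entry devices; those links are already covered.
            if nxt in restricted or any(n in external for n in topology[nxt]):
                continue
            plan.setdefault(frozenset((zone, nxt)), "intranet")
    return plan

def uncovered_entries(topology, external, sensors, core="corp_lan"):
    """External zones that can still reach the core without crossing a sensored link,
    i.e. entry points the plan missed. Plain breadth-first search over the link map."""
    missed = set()
    for start in external:
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for nxt in topology[cur]:
                if nxt in seen or frozenset((cur, nxt)) in sensors:
                    continue
                seen.add(nxt)
                queue.append(nxt)
        if core in seen:
            missed.add(start)
    return missed
```

Running `uncovered_entries` with only the primary ISP link sensored reports every other external zone as an unmonitored path into the core; with the full plan it reports none.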